Sensitive Data Exposure & Performing Actions on Behalf of the Victim

Up to this point, we are able to launch the OkCupid mobile application using a deep link containing malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads JavaScript code from the attacker's server (note that the top section contains the XSS payload and the bottom section is the same payload encoded with URL encoding):

The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):

The server reflects the payload sent earlier in the section parameter, and the injected JavaScript code is executed in the context of the WebView.

As mentioned before, the final XSS payload loads a script file from the attacker's server. The loaded JavaScript code is used for exfiltration and contains 3 functions:

  1. steal_token – Steals the user's authentication token, oauthAccessToken, and the user's id, userid. The user's sensitive information (PII), such as email, is exfiltrated as well.
  2. steal_data – Steals the user's profile and private data, preferences, the user's characteristics (e.g. answers filled in during registration), and more.
  3. Send_data_to_attacker – Sends the data collected in functions 1 and 2 to the attacker's server.

steal_token function:

The function makes an API call to the server. The user's cookies are sent to the server because the XSS payload is executed in the context of the application's WebView.

The server responds with a large JSON containing the user's id and the authentication token as well:

steal_data function:

The function creates an HTTP request to the endpoint.

Based on the data exfiltrated in the steal_token function, the request is sent with the authentication token and the user's id.

The server responds with all the information about the victim's profile, including email, sexual orientation, height, family status, etc.

Send_data_to_attacker function:

The function creates a POST request to the attacker's server containing all the information retrieved by the previous functions (steal_token and steal_data).

The following screenshot shows an HTTP POST request sent to the attacker's server. The request body contains all of the victim's sensitive information:

Performing actions on behalf of the victim is also possible because of the exfiltration of the victim's authentication token and the user's id. This information is used in the malicious JavaScript code (just as in the steal_data function).

An attacker can perform actions such as sending messages and changing profile data thanks to the information exfiltrated in the steal_token function:

  1. Authentication token, oauthAccessToken, is used in the authorization header (bearer value).
  2. User id, userId, is added as required.

Note: An attacker cannot perform a full account takeover since the cookies are protected with HTTPOnly.

Web Platform Vulnerabilities

Misconfigured Cross-Origin Resource Sharing Policy Leads to Sensitive Data Exposure

In the course of the research, we found that the CORS policy of the API server is not configured properly and any origin can send requests to the server and read its responses. The following request shows a request sent to the API server from the origin

The server does not validate the origin properly and responds with the requested data. Moreover, the server response contains Access-Control-Allow-Origin: and Access-Control-Allow-Credentials: true headers:

From this point on, we understood that we can send requests to the API server from our domain without being blocked by the CORS policy.
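
The misconfiguration described above, set beside an exact-match allowlist, as an added example that is not code from the original write-up or from OkCupid. The origins, the function names and the assumption that the weak policy simply reflects the caller's Origin header are constructed for illustration.

```javascript
// Added example; origins and function names are constructed for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://www.example-dating.test",
  "https://m.example-dating.test",
]);

// Weak policy (assumed model of the finding): reflect any Origin and allow
// credentials, so any site can read authenticated API responses.
function weakCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened policy: exact match of the full origin (scheme, host, port)
// against an allowlist. No substring, suffix or regex matching.
function strictCorsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  let origin;
  try {
    origin = new URL(requestOrigin).origin;
  } catch {
    return {}; // "null", empty or malformed Origin: send no CORS headers
  }
  if (origin !== requestOrigin || !allowed.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's headers to another
  };
}

// Audit helper: would a page on `origin` be allowed to read a credentialed response?
function allowsCredentialedRead(policy, origin) {
  const h = policy(origin);
  return h["Access-Control-Allow-Origin"] === origin &&
         h["Access-Control-Allow-Credentials"] === "true";
}

// Constructed probe origins: unrelated site, look-alike suffix, sandboxed "null".
const PROBES = ["https://attacker.test",
                "https://www.example-dating.test.attacker.test", "null"];
function auditPolicy(policy) {
  return PROBES.filter((o) => allowsCredentialedRead(policy, o));
}
```

`auditPolicy` returns the probe origins a policy would let read credentialed responses; an empty list is the result to expect from a correctly restricted API.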

As soon as a victim is authenticated on the OkCupid application and browses to the attacker's web application, an HTTP GET request is sent to containing the victim's cookies. The server's response contains a large JSON, containing the victim's authentication token and the victim's user_id.

We were able to find more useful data in the bootstrap API endpoint – sensitive API endpoints in the API server:

The following screenshot shows sensitive PII data exfiltration from the /profile/ API endpoint, using the victim's user_id and the access_token:

The following screenshot shows exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and the access_token:


The world of online-dating apps has developed quickly over the years, and matured to where it is today with the shift to a digital world, especially in the past 6 months – since the outbreak of Coronavirus around the world. The "new normal" habits such as "social distancing" have pushed the dating world to rely solely on digital tools for help.

The research presented here shows the risks associated with one of the longest-established and most popular apps in its sector. The dire need for privacy and data security becomes far more crucial when so much private and intimate information is being stored, managed and analyzed in an app. The app and platform was created to bring people together, but of course where people go, criminals will follow, looking for easy pickings.